[wp-trac] [WordPress Trac] #60191: Ampersand in non-entities such as &a; is not escaped

WordPress Trac noreply at wordpress.org
Thu Jan 4 10:55:42 UTC 2024


#60191: Ampersand in non-entities such as &a; is not escaped
---------------------------+-----------------------------
 Reporter:  superpoincare  |      Owner:  (none)
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Formatting     |    Version:  trunk
 Severity:  normal         |   Keywords:
  Focuses:                 |
---------------------------+-----------------------------
 WordPress escapes ampersand as {{{&}}} in many places.

 It checks if the ampersand is part of any entity before conversion, as the
 ampersand in an entity shouldn't be escaped. However, the regex also passes
 things such as {{{&a;}}}, which is not an entity, and wrongly doesn't
 convert the ampersand there.

 To correct that, it has to be checked whether the pattern matched is really
 an entity, which can be done by using something like html_entity_decode:
 the decode for an entity would be different from the original string.

 The block editor somehow rightly checks and prevents strings such as
 {{{&a;}}} from passing, but older posts and anything inserted by plugins
 will have this bug.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60191>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
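
The check proposed in the ticket, sketched as an added example (not WordPress core code and not part of the original message): a shape-only regex beside a version that keeps a candidate only when html_entity_decode() actually changes it. The function names, the regexes and the sample string are assumptions made for illustration.

```php
<?php
// Added illustration; these helpers are hypothetical, not WordPress APIs.

// Shape-only check: anything that merely looks like an entity is left alone,
// so "&a;" keeps its raw ampersand (the behaviour the ticket reports).
function escape_amp_loose(string $text): string {
    return preg_replace('/&(?!#\d+;|#x[0-9a-f]+;|[a-z][a-z0-9]*;)/i', '&amp;', $text);
}

// A candidate is a real entity only if decoding changes it.
function is_real_entity(string $candidate): bool {
    return html_entity_decode($candidate, ENT_QUOTES | ENT_HTML5, 'UTF-8') !== $candidate;
}

// Strict check: match every ampersand plus an optional entity-shaped tail,
// keep it untouched only when the whole match decodes to something else.
function escape_amp_strict(string $text): string {
    return preg_replace_callback(
        '/&(#\d+;|#x[0-9a-f]+;|[a-z][a-z0-9]*;)?/i',
        function (array $m): string {
            $tail = $m[1] ?? '';            // unset when the group did not match
            if ($tail !== '' && is_real_entity($m[0])) {
                return $m[0];               // genuine entity: leave as is
            }
            return '&amp;' . $tail;         // bare "&" or pseudo-entity: escape
        },
        $text
    );
}

// Constructed sample input covering real entities and look-alikes.
$sample = 'AT&T &amp; &a; &copy; &#38; &bogus;';

echo escape_amp_loose($sample), PHP_EOL;
echo escape_amp_strict($sample), PHP_EOL;
```

With the strict variant, numeric references that html_entity_decode() refuses to decode (for example code points that are invalid in the chosen document type) are also treated as non-entities and get their ampersand escaped.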